Logstash Plugin
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-46657 | | | 0.00 | — | 0.00 | | Oct 25, 2023 | Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. |
| CVE-2023-41936 | | | 0.00 | — | 0.00 | | Sep 6, 2023 | Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. |
| CVE-2023-40349 | | | 0.00 | — | 0.00 | | Aug 16, 2023 | Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. |
| CVE-2023-40348 | | | 0.00 | — | 0.00 | | Aug 16, 2023 | The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. |
| CVE-2023-32978 | | | 0.00 | — | 0.00 | | May 16, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials. |
| CVE-2022-46683 | | | 0.00 | — | 0.01 | | Dec 7, 2022 | Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. |
| CVE-2022-45393 | | | 0.00 | — | 0.00 | | Nov 15, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. |
| CVE-2022-45394 | | | 0.00 | — | 0.00 | | Nov 15, 2022 | A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. |
| CVE-2020-2143 | | | 0.00 | — | 0.00 | | Mar 9, 2020 | Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2019-10410 | | | 0.00 | — | 0.00 | | Sep 25, 2019 | Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. |
| CVE-2019-10348 | | | 0.00 | — | 0.00 | | Jul 11, 2019 | Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |